Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make slash optional in GDPR path #1353

Merged
merged 2 commits into from
Sep 24, 2024
+50 −41
Merged

Make slash optional in GDPR path #1353

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5d3d938
Make slash optional in GDPR path
matti-lamppu Sep 23, 2024
bd186dc
Add GDPR UUID to user admin and clarify TVP UUID
matti-lamppu Sep 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 0 additions & 7 deletions api/gdpr/urls.py
View file
Open in desktop

This file was deleted.

60 changes: 30 additions & 30 deletions tests/test_gdpr_api/test_gdpr_api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,11 +28,11 @@
def test_query_user_data__simple(api_client, settings):
user = UserFactory.create()

settings.GDPR_API_QUERY_SCOPE = "testprefix.gdprquery"
settings.GDPR_API_QUERY_SCOPE = "gdprquery"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_QUERY_SCOPE])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.get(url)

Expand Down Expand Up @@ -70,11 +70,11 @@ def test_query_user_data__full(api_client, settings):
section: ApplicationSection = application.application_sections.first()
reservation: Reservation = ReservationFactory.create(user=user)

settings.GDPR_API_QUERY_SCOPE = "testprefix.gdprquery"
settings.GDPR_API_QUERY_SCOPE = "gdprquery"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_QUERY_SCOPE])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.get(url)

Expand Down Expand Up @@ -363,11 +363,11 @@ def test_query_user_data__full(api_client, settings):
def test_query_user_data__user_not_found(api_client, settings):
user = UserFactory.create()

settings.GDPR_API_QUERY_SCOPE = "testprefix.gdprquery"
settings.GDPR_API_QUERY_SCOPE = "gdprquery"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_QUERY_SCOPE])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": uuid.uuid4()})
url = reverse("gdpr_v1", kwargs={"uuid": str(uuid.uuid4())})
with patch_oidc_config():
response = api_client.get(url)

Expand All @@ -378,11 +378,11 @@ def test_query_user_data__user_not_found(api_client, settings):
def test_query_user_data__wrong_scope(api_client, settings):
user = UserFactory.create()

settings.GDPR_API_QUERY_SCOPE = "testprefix.gdprquery"
auth_header = get_gdpr_auth_header(user, scopes=["testprefix.invalid"])
settings.GDPR_API_QUERY_SCOPE = "gdprquery"
auth_header = get_gdpr_auth_header(user, scopes=["invalid"])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": uuid.uuid4()})
url = reverse("gdpr_v1", kwargs={"uuid": str(uuid.uuid4())})
with patch_oidc_config():
response = api_client.get(url)

Expand All @@ -393,11 +393,11 @@ def test_query_user_data__wrong_scope(api_client, settings):
def test_delete_user_data__should_anonymize(api_client, settings):
user = UserFactory.create(username="foo")

settings.GDPR_API_DELETE_SCOPE = "testprefix.gdprdelete"
settings.GDPR_API_DELETE_SCOPE = "gdprdelete"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_DELETE_SCOPE])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.delete(url)

Expand All @@ -412,11 +412,11 @@ def test_delete_user_data__dont_anonymize_if_open_payments(api_client, settings)
reservation = ReservationFactory.create(user=user)
PaymentOrderFactory.create(reservation=reservation, status=OrderStatus.DRAFT, remote_id=uuid.uuid4())

settings.GDPR_API_DELETE_SCOPE = "testprefix.gdprdelete"
settings.GDPR_API_DELETE_SCOPE = "gdprdelete"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_DELETE_SCOPE])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.delete(url)

Expand All @@ -443,11 +443,11 @@ def test_delete_user_data__dont_anonymize_if_open_reservations(api_client, setti
end = begin + datetime.timedelta(hours=2)
ReservationFactory.create(user=user, begin=begin, end=end, state=ReservationStateChoice.CREATED)

settings.GDPR_API_DELETE_SCOPE = "testprefix.gdprdelete"
settings.GDPR_API_DELETE_SCOPE = "gdprdelete"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_DELETE_SCOPE])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.delete(url)

Expand All @@ -474,11 +474,11 @@ def test_delete_user_data__dont_anonymize_if_reservation_one_month_ago(api_clien
end = begin + datetime.timedelta(hours=2)
ReservationFactory.create(user=user, begin=begin, end=end, state=ReservationStateChoice.CONFIRMED)

settings.GDPR_API_DELETE_SCOPE = "testprefix.gdprdelete"
settings.GDPR_API_DELETE_SCOPE = "gdprdelete"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_DELETE_SCOPE])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.delete(url)

Expand All @@ -503,11 +503,11 @@ def test_delete_user_data__dont_anonymize_if_open_applications(api_client, setti
user = UserFactory.create(username="foo")
ApplicationFactory.create_in_status_in_allocation(user=user)

settings.GDPR_API_DELETE_SCOPE = "testprefix.gdprdelete"
settings.GDPR_API_DELETE_SCOPE = "gdprdelete"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_DELETE_SCOPE])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.delete(url)

Expand All @@ -532,11 +532,11 @@ def test_delete_user_data__cannot_anonymize_other_users_data(api_client, setting
user = UserFactory.create(username="foo")
other_user = UserFactory.create(username="bar")

settings.GDPR_API_DELETE_SCOPE = "testprefix.gdprdelete"
settings.GDPR_API_DELETE_SCOPE = "gdprdelete"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_DELETE_SCOPE])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": other_user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(other_user.uuid)})
with patch_oidc_config():
response = api_client.delete(url)

Expand All @@ -549,9 +549,9 @@ def test_delete_user_data__cannot_anonymize_other_users_data(api_client, setting
def test_delete_user_data__not_authenticated(api_client, settings):
user = UserFactory.create(username="foo")

settings.GDPR_API_DELETE_SCOPE = "testprefix.gdprdelete"
settings.GDPR_API_DELETE_SCOPE = "gdprdelete"

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.delete(url)

Expand All @@ -564,11 +564,11 @@ def test_delete_user_data__not_authenticated(api_client, settings):
def test_delete_user_data__wrong_scope(api_client, settings):
user = UserFactory.create(username="foo")

settings.GDPR_API_DELETE_SCOPE = "testprefix.gdprdelete"
auth_header = get_gdpr_auth_header(user, scopes=["testprefix.wrong_scope"])
settings.GDPR_API_DELETE_SCOPE = "gdprdelete"
auth_header = get_gdpr_auth_header(user, scopes=["wrong_scope"])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.delete(url)

Expand All @@ -581,11 +581,11 @@ def test_delete_user_data__wrong_scope(api_client, settings):
def test_query_user_data__insufficient_loa(api_client, settings):
user = UserFactory.create(username="foo")

settings.GDPR_API_QUERY_SCOPE = "testprefix.gdprquery"
settings.GDPR_API_QUERY_SCOPE = "gdprquery"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_QUERY_SCOPE], loa="low")
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.get(url)

Expand All @@ -599,11 +599,11 @@ def test_query_user_data__insufficient_loa(api_client, settings):
def test_delete_user_data__dont_anonymize_if_dryrun(api_client, settings, dry_run):
user = UserFactory.create(username="foo")

settings.GDPR_API_DELETE_SCOPE = "testprefix.gdprdelete"
settings.GDPR_API_DELETE_SCOPE = "gdprdelete"
auth_header = get_gdpr_auth_header(user, scopes=[settings.GDPR_API_DELETE_SCOPE])
api_client.credentials(HTTP_AUTHORIZATION=auth_header)

url = reverse("gdpr_v1", kwargs={"uuid": user.uuid})
url = reverse("gdpr_v1", kwargs={"uuid": str(user.uuid)})
with patch_oidc_config():
response = api_client.delete(url, data={"dry_run": dry_run})

Expand Down
10 changes: 8 additions & 2 deletions tilavarauspalvelu/urls.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
from django.conf import settings
from django.conf.urls.static import static
from django.contrib import admin
from django.urls import include, path, reverse
from django.urls import include, path, re_path, reverse
from django.views.decorators.csrf import csrf_exempt
from graphene_django_extensions import FileUploadGraphQLView

from api.gdpr.views import TilavarauspalveluGDPRAPIView
from api.rest.views import csrf_view, reservation_ical, terms_of_use_pdf
from api.webhooks.urls import webhook_router

Expand Down Expand Up @@ -34,7 +35,12 @@
path("v1/webhook/", include(webhook_router.urls)),
path("pysocial/", include("social_django.urls", namespace="social")),
path("helauth/", include("api.helauth.urls")),
path("gdpr/v1/", include("api.gdpr.urls")),
re_path(
# GDPR UUID's are v1, not v4!
r"gdpr/v1/user/(?P<uuid>[\da-fA-F]{8}-[\da-fA-F]{4}-[\da-fA-F]{4}-[\da-fA-F]{4}-[\da-fA-F]{12})/?$",
TilavarauspalveluGDPRAPIView.as_view(),
name="gdpr_v1",
),
path("tinymce/", include("tinymce.urls")),
path("csrf/", csrf_view),
]
Expand Down
14 changes: 12 additions & 2 deletions users/admin/user.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,8 @@ class UserAdmin(admin.ModelAdmin):
"fields": [
"last_login",
"date_joined",
"tvp_uuid",
"statistics_uuid",
"gdpr_uuid",
"department_name",
"profile_id",
"date_of_birth",
Expand Down Expand Up @@ -168,7 +169,8 @@ class UserAdmin(admin.ModelAdmin):
"last_login",
"date_joined",
"id_token",
"tvp_uuid",
"statistics_uuid",
"gdpr_uuid",
"ad_groups",
"department_name",
"profile_id",
Expand Down Expand Up @@ -208,6 +210,14 @@ def anonymize_user_data(self, request, queryset) -> None:
for user in queryset.all():
anonymize_user_data(user)

@admin.display(description="Statistics UUID")
def statistics_uuid(self, user: User) -> str:
return user.tvp_uuid

@admin.display(description="GDPR UUID")
def gdpr_uuid(self, user: User) -> str:
return user.uuid

@admin.display(description="Issuer (iss)")
def issuer(self, user: User) -> str:
if user.id_token is None:
Expand Down